GDPR FAQ

How do you monitor ongoing compliance of your processes with Data Privacy legislation, regulation and policy?

The Data Protection Officer performs these tasks.

Do you use third parties to process our company data (including cloud and downstream providers, etc.)? If so, provide details of how you will ensure third-party compliance with Data Privacy legislation, regulation, policy and our company Data Privacy requirements.

Yes, the platform runs on AWS-hosted servers. Third-party vetting is covered in the outsourced-provider and legal-review answers below.

Do you comply with any accepted industry security standards and risk management methodologies

ISO 27001 and ISO 9001, both externally audited annually.

Do you allow customers to view your third-party security audit or certification reports?

Certificates are available if required.

Who is accountable for Data Privacy and responsible for compliance for our company data?

Purple's support and security teams are responsible for this, with support and oversight provided by the Data Protection Officer.

Do you hold any certifications to demonstrate adequate Data Protection control?

ISO 27001 and ISO 9001.

If personal data is being transferred outside the EEA under this process, how will you ensure you are compliant with Data Privacy legislation, regulation and policy?

Provided through a data subject portal that allows individuals to view all data held on them by Purple. Changes and deletion can be requested through this portal.

Is there a process in place for the correction of data? (For example, a subject has been recorded as male when in fact they are female and want to correct that.)

End users can view all their details through the portal and request changes. They will be able to change the data themselves in the next release of the platform.

What processes and SLAs will you use to ensure timely reporting of any suspected breaches or incidents?

There will be an initial notification within 24 hours and a full report within 72 hours. Note that under GDPR Article 33 a processor must notify the controller without undue delay, and the controller must notify its supervisory authority within 72 hours of becoming aware of a breach, so the 24-hour initial notification is what gives the customer time to meet its own deadline.

Do you have a documented security incident response plan?

Yes; it is based on ISO standards.

We are working on Privacy Impact Assessments right now. The guidance on the new law says that we need to carry out such a PIA for the data processing done by Purple Wi-Fi (because of the Wi-Fi tracking). Is this required?

Data Protection Impact Assessments (DPIAs) are mandatory under GDPR Article 35 for new processing that starts after 25th May 2018 and is likely to result in a high risk to individuals; large-scale systematic monitoring of a publicly accessible area (which Wi-Fi location tracking can fall under) is one of the cases the Article names. For processing that was already running before that date there is no strict obligation, but the Article 29 Working Party guidance strongly recommends a DPIA for existing high-risk processing, and one becomes required if the processing changes in a way that alters the risk (new data types, new tracking capability, new purposes).

Please provide an outline of the data that will be captured and the method of capture. This should include grouping of data types, e.g. personal (PII), operational, etc.

Purple captures some PII at Wi-Fi login (either via a user-input web form or from a social media network after the user grants permission), typically: name, date of birth, email, MAC address, and potentially a user's Facebook likes. This is configurable by the customer; the only compulsory PII captured is the email address, and the customer can add completely custom form inputs. In addition, Purple can capture location data (MAC address and signal strength and/or an approximated x/y coordinate), network/device data (IP addresses, connection times, data usage) and operational data (session state, etc.). No financial data is collected or stored.

Please outline your data retention policies including any legal/compliance requirements. This should include data deletion as well as data anonymisation.

PII is automatically removed after 13 months of inactivity, or on request. When a record is anonymised, every field that can be used to identify the individual (name, email address, date of birth, MAC address, social-media identifiers) is removed, while session/network and demographic data (age, gender) is kept indefinitely. Because an exact date of birth is itself identifying, the retained demographic value should be the derived age rather than the date.
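The retention and anonymisation rule above is simple to state but easy to get wrong (the sweep has to derive the age before it drops the date of birth, and a data-subject request has to be matched while the email is still present). The following is an added example of such a sweep, written for this page; it is not Purple's code. It assumes one flat record per data subject with the field names used below, treats the MAC address as identifying, and uses constructed sample records.

```python
"""Retention sweep: strip identifying fields from inactive records.

Added example, not Purple's code. Assumes a flat dict per data subject
with the field names below; SAMPLE records are constructed.
"""
import calendar
from datetime import date, datetime, timezone
from typing import Dict, Iterable, List, Set

# Fields the FAQ lists as PII captured at Wi-Fi login. The MAC address is a
# persistent device identifier, so it is treated as identifying as well.
IDENTIFYING_FIELDS = frozenset(
    {"name", "email", "date_of_birth", "mac_address", "social_profile_id"}
)
RETENTION_MONTHS = 13


def subtract_months(moment: datetime, months: int) -> datetime:
    """Calendar-month subtraction, clamping the day to the target month."""
    year, month = moment.year, moment.month - months
    while month <= 0:
        month += 12
        year -= 1
    last_day = calendar.monthrange(year, month)[1]
    return moment.replace(year=year, month=month, day=min(moment.day, last_day))


def age_band(dob: date, on: date) -> str:
    """Ten-year age band: keeps the demographic value without the exact DOB."""
    age = on.year - dob.year - ((on.month, on.day) < (dob.month, dob.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def anonymise(record: Dict, on: date) -> Dict:
    """Drop every identifying field; derive the age band first so it survives."""
    out = {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}
    dob = record.get("date_of_birth")
    if dob is not None:
        out["age_band"] = age_band(dob, on)
    out["anonymised"] = True
    return out


def retention_sweep(records: Iterable[Dict], now: datetime,
                    erasure_requests: Set[str]) -> List[Dict]:
    """Anonymise records inactive for RETENTION_MONTHS or covered by a
    data-subject request (matched on email); return every record."""
    cutoff = subtract_months(now, RETENTION_MONTHS)
    out = []
    for rec in records:
        requested = rec.get("email") in erasure_requests
        inactive = rec["last_seen"] < cutoff
        out.append(anonymise(rec, now.date()) if (requested or inactive) else dict(rec))
    return out


def leaked_identifiers(records: Iterable[Dict]) -> List[str]:
    """Post-sweep check: an anonymised record still carrying PII is a bug."""
    return [k for r in records if r.get("anonymised")
            for k in r if k in IDENTIFYING_FIELDS]


# Constructed sample data (not real users). "Now" is fixed so the run is repeatable.
NOW = datetime(2018, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    {"name": "A. Example", "email": "a@example.com",
     "date_of_birth": date(1985, 3, 9), "mac_address": "02:00:00:00:00:01",
     "gender": "f", "sessions": 12,
     "last_seen": datetime(2017, 4, 30, tzinfo=timezone.utc)},   # > 13 months idle
    {"name": "B. Example", "email": "b@example.com",
     "date_of_birth": date(1992, 11, 20), "mac_address": "02:00:00:00:00:02",
     "gender": "m", "sessions": 3,
     "last_seen": datetime(2018, 5, 28, tzinfo=timezone.utc)},   # active, kept
    {"name": "C. Example", "email": "c@example.com",
     "date_of_birth": date(2000, 1, 1), "mac_address": "02:00:00:00:00:03",
     "gender": "m", "sessions": 7,
     "last_seen": datetime(2018, 2, 1, tzinfo=timezone.utc)},    # erasure requested
]


def run_sample() -> List[Dict]:
    return retention_sweep(SAMPLE, NOW, erasure_requests={"c@example.com"})


if __name__ == "__main__":
    for row in run_sample():
        print(row)
    assert leaked_identifiers(run_sample()) == []
```

The cutoff is computed in calendar months rather than as 13 × 30 days so that "13 months of inactivity" means the same thing whatever the month lengths are; the final check walks the output and fails if any anonymised record still carries one of the identifying fields, which is the assertion a retention job should make before it reports success.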

What are the Supplier's Data Privacy Strategy, Framework, Policy, Standards and procedures?

ISO 27001 and ISO 9001.

What Data Protection training and awareness is provided to leadership and colleagues?

Provided by the DPO on an ongoing basis.

Do you select and monitor outsourced providers in compliance with laws in the country where the data is processed, stored and transmitted?

Yes, all providers are vetted against the requirements of EU data protection laws.

Does legal counsel review all third-party agreements?

Yes, all new agreements are reviewed by commercial legal and technical support teams.

Are all employees, contractors and third parties involved with the system subject to background screening e.g. vetted by a governing body?

Where required.

Is there an audit trail that can identify who and what personal data has been accessed?

There is a full audit trail of data access (and of all portal usage) recording the user login, source IP address and date/time of each access.

Are all personnel required to sign NDA or Confidentiality Agreements as a condition of employment to protect customer information?

Yes, this is part of the standard employment terms.

Do you specifically train your employees regarding their specific role and the information security controls they must fulfil?

Every employee has access to online training regarding their role as well as the information security controls.

Do you have a robust starters, movers and leavers process in place to manage user access to systems, applications and data? Please provide details.

Yes; the process is detailed in HR procedures and forms part of the ISO standards.

Has all sensitive data been identified in the system?

Special-category (sensitive) data is not collected by design. Note, however, that where a customer enables capture of a user's Facebook likes, those likes can reveal special-category information (for example political or religious views), so that optional field should be treated with care in the customer's own assessment.

Can you provide the physical location/geography of storage of a customer's data? (EU and EEA boundaries)

The AWS Dublin (Ireland) region.

Can you ensure that data does not migrate beyond a defined geographical residency? (EU and EEA boundaries)

Yes. AWS does not move customer content out of the region the customer selects, so data stays in the Dublin region unless Purple deliberately replicates it elsewhere. The DR answer below names London and Frankfurt as failover options and backups are held in another region, so those copies should be included in any residency commitment agreed with the customer.

Is customer data available on request in an industry-standard format?

All customer data can be downloaded in industry standard formats.

Do you document how you grant and approve access to customer data?

Yes, based on ISO Standards

Does the system allow user access control policies to be defined?

Yes, based on ISO Standards

Do you restrict, log and monitor access to your information security management systems?

Yes, based on ISO Standards

Do you have the capability to recover data for a specific customer in the event of failure or data loss? Please provide DR/BCP details.

Data is securely stored in Dublin. Purple's infrastructure spans several availability zones in the AWS Dublin region, so a single zone or data centre becoming unavailable is covered. Amazon Web Services has additional EMEA regions in London and Frankfurt, which would be the default option in the event of a full Dublin regional failure. Note that failing over to either region changes where the customer's data is stored, so that step should be agreed with the customer in advance against the residency requirements above.

Please confirm that any data handled by you is handled in compliance with your information security policies.

Are customers notified immediately of changes made to virtual machines, or of the moving of an image and the subsequent validation of the image's integrity?

No, customers are not notified of changes to Purple's underlying infrastructure. Purple is a cloud environment in which the underlying virtual machines are routinely upgraded and/or replaced.

Are system and network environments protected by a firewall or virtual firewall to ensure business and customer security requirements?

Yes; AWS's standard network controls (security groups and network ACLs) are used.

Are the security vulnerability assessment tools or services in use appropriate for a virtualised environment?

AWS standard tooling is used.

Are data input and output integrity routines implemented for application interfaces and databases to prevent manual or systematic processing errors or corruption of data?

Input validation is implemented across the application.

Do you use industry standards (Build Security in Maturity Model [BSIMM] benchmarks, Open Group ACS Trusted Technology Provider Framework, NIST, etc.) to build in security for your Systems/Software Development Lifecycle (SDLC)?

Do you publish a list of all APIs available in the service and indicate which are standard and which are customised?

Yes; see the API documentation.

Are systems in place to monitor for security and privacy breaches and notify customers if a security or privacy event may have impacted their data?

In progress, planned for completion during Q1 2018.

Describe ways that the data can be entered, extracted and accessed to/from the system. This should include any formats including apis/csv's.

Data enters the system through user input at Wi-Fi login, through network statistics, or from the customer's vendor location engine (depending on the vendor). Data can be viewed in the analytics portal, where it can also be downloaded in CSV format, or extracted via the API.

Describe the reporting and analytical capabilities of the system including any out of the box capability and any configurability.

See training manual.

Describe which reference data/master data is held within the system. Please provide a data definition dictionary including any front end configurable field definitions.

No customer-facing data dictionary available.

What mechanisms are there for the system to provide real-time data?

In-Memory database engines to provide the fastest response possible.

Describe what methods you have to ensure data integrity and error handling.

Data encryption, user access control lists, form validation, and daily snapshots and backups held in different AWS regions. Because the backups are copies of customer data held outside Dublin, they should be accounted for in the data residency answers above.